The network is not back yet. But it is moving. THORChain’s developers pushed patch v3.18.1 to nodes on May 27, approved governance proposal ADR028, and opened a live bounty window for the hacker who drained $10.17 million from the protocol on May 15.
Swaps remain offline. No dilution. No panic minting. The protocol is absorbing the loss through Protocol-Owned Liquidity first, covering whatever POL cannot handle through proportional distribution to synthetic asset holders. RUNE holders watching price action on BingX are not facing token inflation to fill the gap.
The Bounty Is Open. The Clock Is Running.
With ADR028 now ratified by node operators, the bounty window is officially active. The exploiter can still return a portion of the stolen funds. The protocol has committed to absorbing the remaining shortfall through POL, and the exact figures are still being finalized ahead of a follow-up announcement.
As THORChain posted on X, nodes have upgraded to v3.18.1, which patches the vulnerability and restores Rujira Network’s ability to manage credit accounts, including borrow and repay functions. The next step is v3.19.0, currently under development with additional fixes being incorporated before stagenet testing begins.
The target is stagenet deployment by end of day May 27, though the official update notes the exact timeline is still unconfirmed. Once the stagenet run clears, node operators will be asked to upgrade quickly to bring the network back online safely.
As fincontrarian posted on X, the protocol is moving carefully through patching, testing, and auditing before mainnet returns. “Security and stability come first,” the post read, summarizing the current priority order inside the developer and THORSec teams.
One Detail Most Coverage Missed
The part getting less attention: tss-lib has been temporarily moved to closed source. THORSec is conducting a full security audit and remediation process on the threshold signature library, and keeping the repository public during that window would expose ongoing fix work before it is complete.
As XBToshi posted on X, the decision drew sharp reaction: “security through obscurity is the ultimate white flag in crypto.” The post acknowledged the builders working to bring the network safely back online after ADR028 approval but argued the move signals how fragile complex stateful architecture can become under pressure. “When the architecture collapses, the only fallback is centralized web2 panic mode,” XBToshi wrote, quoting the THORChain official update.
It is a real tension. A cross-chain DEX going partially closed-source to patch a core cryptographic library sits uncomfortably against the permissionless framing that DeFi is built on. THORChain says the repository reopens once the audit completes. The timeline for that is not set.
The exploit itself traced back to a node operator who churned into the active validator set on May 13, just two days before the attack. That operator allegedly reconstructed a vault private key through progressive leakage of GG20 cryptographic material, then bypassed the normal signing ceremony to drain the vault through unauthorized outbound transactions.
Recovery From the Ground Up
Steve Tones on X described the slow-and-steady approach as the right call: the ADR028 approval and live audits signal that security was being prioritized over speed. Godson Eze, posting on X, noted that v3.19.0 testing felt solid and flagged curiosity around how sentiment plays out on BingX once mainnet returns.
As Massive posted on X, with ADR028 approved, the hacker bounty live, and protocol liquidity expected to cover remaining losses, the next signal worth watching is how $RUNE prices respond once swaps are restored.
Bitcoin open interest climbed 12% to $18.4 billion on May 13, per Coinglass data, a reminder that the broader market was moving hard around the same window that THORChain’s exploit unfolded. For RUNE holders specifically, the absence of dilution is the number that matters right now, not the recovery timeline.
One condition that could complicate the restart: if v3.19.0 stagenet testing reveals additional vulnerabilities requiring another patch cycle, the mainnet return date gets pushed further. THORSec and the development team have not ruled that scenario out, and no firm mainnet date has been given.
The bounty window, the stagenet push, and the tss-lib audit are all running in parallel. Whether the exploiter returns funds before the window closes is the variable no governance vote can control.
